A very basic mount: you get a directory with your secret keys as files. If the secret is updated, the file contents change (actually, symlinks to the actual mounts are updated).
```yaml
spec:
  containers:
    - name: container1
      volumeMounts:
        - name: m1
          mountPath: /mnt/m1
  volumes:
    - name: m1
      secret:
        secretName: c1
```
`items` allows mounting only select keys, and changing the path they're mounted at, including into subdirectories. Each mounted item is a symlink. It errors out creating the container if the item key doesn't exist. Update propagation continues to work.
```yaml
spec:
  containers:
    - name: container1
      volumeMounts:
        - name: m1
          mountPath: /mnt/m1 # directory with remapped keys, updated
  volumes:
    - name: m1
      secret:
        secretName: c1
        items:
          - key: k1
            path: p1
```
`subPath` allows mounting a single item at the `mountPath`, so you get a file instead of a directory. If the key in the source volume referenced by `subPath` doesn't exist, it mounts an empty directory. All uses of `subPath` break secret update propagation.
I think the only reason to use subPath is when you want to mount into an existing directory in the image, without clobbering the other files in the directory.
```yaml
spec:
  containers:
    - name: container1
      volumeMounts:
        - name: vol1
          mountPath: /mnt/mount1
          subPath: key-from-source
  volumes:
    - name: vol1
      secret:
        secretName: my-secret
```
The `projected` versions are like the original, but they allow combining multiple sources into a single mount.
```yaml
spec:
  containers:
    - name: container1
      volumeMounts:
        - name: m1
          mountPath: /mnt/m1 # directory with keys, updated
  volumes:
    - name: m1
      projected:
        sources:
          - secret:
              name: c1
```
```yaml
spec:
  containers:
    - name: container1
      volumeMounts:
        - name: m1
          mountPath: /mnt/m1 # directory with remapped keys, updated
  volumes:
    - name: m1
      projected:
        sources:
          - secret:
              name: c1
              items:
                - key: k1
                  path: p1
```
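
Because every `subPath` mount stops receiving secret updates, a rotated secret never reaches those containers until the pod is restarted. The following added example (not from the original page) audits a pod object in the JSON shape printed by `kubectl get pod -o json` and lists secret-backed mounts, plain or `projected`, that use `subPath`; the sample pod and the function names are constructed for illustration.

```python
import json

# Constructed sample: only the fields this check reads; all names are made up.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "demo", "namespace": "default"},
 "spec": {
  "containers": [
   {"name": "container1", "volumeMounts": [
     {"name": "m1", "mountPath": "/mnt/m1"},
     {"name": "vol1", "mountPath": "/mnt/mount1", "subPath": "key-from-source"},
     {"name": "cache", "mountPath": "/cache", "subPath": "tmp"}]}],
  "volumes": [
   {"name": "m1", "projected": {"sources": [{"secret": {"name": "c1"}}]}},
   {"name": "vol1", "secret": {"secretName": "my-secret"}},
   {"name": "cache", "emptyDir": {}}]}}
""")


def secret_names(volume):
    """Secret names backing a volume (plain `secret` or `projected` sources)."""
    names = []
    if "secret" in volume:
        names.append(volume["secret"].get("secretName"))
    for src in volume.get("projected", {}).get("sources", []):
        if "secret" in src:
            names.append(src["secret"].get("name"))
    return names


def find_subpath_secret_mounts(pod):
    """Return (container, mountPath, subPath, secrets) for each secret-backed
    volumeMount that uses subPath and so will not see secret updates."""
    spec = pod["spec"]
    backing = {v["name"]: secret_names(v) for v in spec.get("volumes", [])}
    findings = []
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        for vm in c.get("volumeMounts", []):
            secrets = backing.get(vm["name"], [])
            if vm.get("subPath") and secrets:
                findings.append((c["name"], vm["mountPath"], vm["subPath"], secrets))
    return findings


if __name__ == "__main__":
    for finding in find_subpath_secret_mounts(SAMPLE_POD):
        print("no update propagation:", finding)
```

The `emptyDir` mount with `subPath` is ignored because no secret backs it, and the `projected` mount without `subPath` is ignored because it still receives updates.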